Explaining technology, software development, security, and other things. And we can't forget good BBQ.

Friday, July 5, 2013

Is it time to break email?

The email transport protocol, SMTP (Simple Mail Transport Protocol) , has been around over 30 years. It was standardized in 1982, in an RFC (Request For Comments), number 821. Everything involved is in the clear, with no encryption. It kept the protocol true to its name, simple.

Over the years, we've 'patched' SMTP with additional features, one of which is transport encryption. This is encryption when receiving or sending between SMTP clients and servers. The current RFC for this is 3207. In it, it lays how to implement TLS, transport layer security, with SMTP. TLS is optional, in all cases, and not required for SMTP. It does mention that we can make it required, but only for local delivery. Here's the section from the RFC:

A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally. This rule
prevents the STARTTLS extension from damaging the interoperability of
the Internet's SMTP infrastructure. A publicly-referenced SMTP
server is an SMTP server which runs on port 25 of an Internet host
listed in the MX record (or A record if an MX record is not present)
for the domain name on the right hand side of an Internet mail
address.

What this is saying, is that when an SMTP server is configured to receive email from the internet, it can not require use of TLS. This means that when you send an email, unless you encrypt it yourself (with PGP or the like), the email is not encrypted when it goes out over the internet. Anyone with a packet sniffer in the right place can read your email.

Here's a simplified example of what happens when you send an email:

User at alice@gmail.com composes an email to bob@yahoo.com

Email is sent from Alice's email client to Gmail's SMTP server

Gmail's SMTP server sends the email Yahoo's SMTP server

Yahoo's SMTP server delivers the email into Bob's Inbox.

Bob's email client downloads the email from his Inbox. This uses IMAP, POP or Exchange.

When you set up your email client, one of the options is TLS. This option turns on TLS between you and your SMTP server. This option will encrypt the email being set to your SMTP server, step 2 in the example.

When the email is sent from Gmail's SMTP server to Yahoo's, due to the requirement of the RFC, it might be sent in the clear. Yahoo's SMTP is not allowed to force an encrypted session. In fact, some quick testing tells me that Yahoo's SMTP does not support TLS at all. So the email in step 3, will not be encrypted.

I believe it is time to break RFC3207 and REQUIRE TLS on publicly-referenced SMTP servers. This will help prevent entities from sniffing the traffic. Not only government, but also identity thieves, hackers and anyone else with packet sniffer.

In this day and age of everyone starting to force HTTPS on all our web browsing, telnet has fallen out of vogue, and ftp is replaced with sftp, isn't it time we start securing email?